NHIN Direct Security Overview.. - Need Feedback

4 views
Skip to first unread message

Bashyam, Nageshwara

unread,
Sep 22, 2010, 2:50:50 PM9/22/10
to documentation...@googlegroups.com

Team,

We have created the NHIN Direct Security Overview document as part of the Documentation and Testing WG.

The link is http://nhindirect.org/NHIN+Direct+Security+Overview

The purpose of the document is to provide “A layman's explanation of trust circles and trust anchors, and how they can ensure security in NHIN Direct communications”.

Can you review this document and provide any feedback. We will target to go for consensus next week tentatively.

Please post any feedback on the wiki page itself and we will incorporate feedback appropriately.

Let us know if you need any additional information and we will be more than happy to provide.

Thanks

Dragon

Noam H Arzt, PhD

unread,
Sep 27, 2010, 4:51:02 PM9/27/10
to documentation...@googlegroups.com, Mike Berry
Dragon,

I reviewed this, and have only one comment/question. The document discusses "end to end" security, but as I understand it, if a user entrusts his cert to a HISP external to his organization, the security can only be validated up to that HISP and not beyond, right? The non-repudiation is the HISP's non-repudiation of a user it *says* it represents via cert. I just want to make sure that we are clear about what and "end" means in "end to end" in this scenario.

Do I have that right, or am I misunderstanding something?

Noam

-----
Dr. Noam H. Arzt 858/538-2220 (voice)
President, HLN Consulting, LLC 858/538-2209 (FAX)
8449 Christopher Ridge Ter. ar...@hln.com
San Diego, CA 92127 http://www.hln.com/

Moehrke, John (GE Healthcare)

unread,
Sep 27, 2010, 5:08:00 PM9/27/10
to documentation...@googlegroups.com, Mike Berry
I think we need to stick with the term. The 'deployment model' is the one that must explain itself.

John

-----Original Message-----

Noam H Arzt, PhD

unread,
Sep 27, 2010, 5:10:14 PM9/27/10
to documentation...@googlegroups.com, Mike Berry
On 9/27/2010 Moehrke, John (GE Healthcare) wrote:
> I think we need to stick with the term. The 'deployment model' is the
> one that must explain itself.

I assume "the term" you refer to is "end to end."

I was not suggesting changing it, just explaining/clarifying it.

But is my understanding correct?

Noam

Moehrke, John (GE Healthcare)

unread,
Sep 27, 2010, 9:23:12 PM9/27/10
to documentation...@googlegroups.com, Mike Berry
Sorry for the confusion. You are correct. I was saying that the issue
you bring up is not a general problem with NHIN Direct. It is a problem
with specific deployment models. I suggest that it is up the deployment
model to explain this, not the general text.
Another factor, the 'sender' chooses their HISP, so they do understand
their issues; The 'receiver' chooses their HISP, so they understand
their issues. Thus logically the sender and receiver really are the
endpoints, even if they are not technically the technical endpoint.

John

Bashyam, Nageshwara

unread,
Sep 28, 2010, 8:21:53 AM9/28/10
to documentation...@googlegroups.com, Mike Berry
Noam,

Sorry for the delayed response. I saw John already respond to the topic.
My understanding is the same as yours in the specific case that you
brought up about delegating the cert's to be handled by a HISP. Like
John points out, the handling of certs/signing and encryption will
depend largely on the deployment model chosen..

Thanks
Dragon

Reply all
Reply to author
Forward
0 new messages